
Extra security for GraphiQL #3168

Merged
merged 3 commits into from
Dec 6, 2023

Conversation


@amcaplan amcaplan commented Dec 4, 2023

WHY are these changes introduced?

There's some potential for damage via the not-quite-yet-released GraphiQL. If someone guesses your Cloudflare tunnel URL, they can find GraphiQL and start causing trouble on your dev store. (Not your prod store, of course, as you can't dev on those.)

WHAT is this pull request doing?

Adds a measure of security. Generates a 16-byte random key during startup, and requires that key for accessing GraphiQL.

The frontend UI and operation execution endpoints are the most in need of security.

How to test your changes?

Run GraphiQL. Change the key in the URL and see that it fails.

You can also open the network tab, copy a request as CURL, and see it succeeds. Then change the key and observe it fail.

Measuring impact

How do we know this change was effective? Please choose one:

  • n/a - this doesn't need measurement, e.g. a linting rule or a bug-fix
  • Existing analytics will cater for this addition
  • PR includes analytics changes to measure impact

Checklist

  • I've considered possible cross-platform impacts (Mac, Linux, Windows)
  • I've considered possible documentation changes
  • I've made sure that any changes to dev or deploy have been reflected in the internal flowchart.


github-actions bot commented Dec 4, 2023

Thanks for your contribution!

Depending on what you are working on, you may want to request a review from a Shopify team:

  • Themes: @shopify/advanced-edits
  • UI extensions: @shopify/ui-extensions-cli
    • Checkout UI extensions: @shopify/checkout-ui-extensions-api-stewardship
  • Hydrogen: @shopify/hydrogen
  • Other: @shopify/cli-foundations


github-actions bot commented Dec 4, 2023

Coverage report

Category     Percentage         Covered / Total
Statements   73.01% (-0.07%)    6257/8570
Branches     70.61% (-0.1%)     3044/4311
Functions    71.72% (-0.03%)    1585/2210
Lines        74.17% (-0.04%)    5942/8011

Files with reduced coverage

File              Statements        Branches   Functions   Lines
... / server.ts   1.28% (-0.15%)    0%         0%          1.35% (-0.1%)

Test suite run success

1494 tests passing in 670 suites.

Report generated by 🧪jest coverage report action from 306c0f6

@amcaplan amcaplan changed the title Securer GraphiQL Extra security for GraphiQL Dec 4, 2023